--- # Copyright 2023, BBC R&D # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - name: Initial facts gathering and venv setup hosts: k8s_all gather_facts: false tags: - always - k8s-venv tasks: - name: Gather minimal facts for k8s setup: gather_subset: - "!all" - min when: osa_gather_facts | default(True) - name: ensure python3 virtualenv is present ansible.builtin.package: name: - python3-venv - python3-setuptools when: ansible_facts['os_family'] == 'Debian' - name: ensure ansible target venv is present ansible.builtin.pip: name: - packaging virtualenv_command: "python3 -m venv" virtualenv: "{{ ansible_collection_kubernetes_target_venv }}" when: ansible_collection_kubernetes_target_venv is defined - name: Create and configure k8s container hosts: k8s_all serial: "{{ k8s_serial | default('20%') }}" gather_facts: true user: root pre_tasks: - import_role: name: openstack.osa.lxc_container_setup vars: list_of_bind_mounts: - bind_dir_path: '/usr/lib/modules' mount_path: '/usr/lib/modules' - bind_dir_path: '/usr/src' mount_path: '/usr/src' - bind_dir_path: '/dev/kmsg' mount_path: '/dev/kmsg' create: file extra_container_config: - 'security.privileged=true' - 'security.nested=true' - 'raw.lxc="lxc.apparmor.profile=unconfined"' - 'lxc.cap.drop=' - 'lxc.cgroup.devices.allow=a' - 'lxc.cgroup2.devices.allow=a' when: not is_metal - include_tasks: common-tasks/unbound-clients.yml when: - hostvars['localhost']['resolvconf_enabled'] | bool - name: ensure kernel headers are installed on host vars: _kernel_package_prefix: redhat: 'kernel-headers' debian: 'linux-headers' package: name: "{{ _kernel_package_prefix[ansible_facts['os_family']|lower]}}-{{ ansible_facts['kernel'] }}" state: present delegate_to: "{{ physical_host }}" when: not is_metal roles: - role: "openstack.osa.system_crontab_coordination" - role: "systemd_service" systemd_services: - service_name: bpf-mount execstarts: /usr/bin/bash -c '/usr/bin/mount bpffs -t bpf /sys/fs/bpf && /usr/bin/mount --make-shared /sys/fs/bpf' - service_name: cilium-cgroup2-mount execstarts: /usr/bin/bash -c 'mkdir -p /run/cilium/cgroupv2 && /usr/bin/mount -t cgroup2 none /run/cilium/cgroupv2 && /usr/bin/mount --make-shared /run/cilium/cgroupv2' # environment: "{{ deployment_environment_variables | default({}) }}" tags: - k8s-container - k8s - name: Configure haproxy services import_playbook: openstack.osa.haproxy_service_config.yml vars: service_group: k8s_all service_variable: "k8s_haproxy_services" when: groups[service_group] | length > 0 tags: - haproxy-service-config - name: Install kubernetes hosts: k8s_all gather_facts: true serial: "{{ k8s_serial | default('20%') }}" user: root vars: k8s_node_labels: openstack-control-plane: enabled ansible_python_interpreter: "{{ ansible_collection_kubernetes_target_venv ~ '/bin/python' }}" roles: - role: "vexxhost.containers.containerd" - role: "vexxhost.kubernetes.kubernetes" - role: "vexxhost.kubernetes.helm" - role: "vexxhost.kubernetes.cilium" environment: "{{ deployment_environment_variables | default({}) }}" tasks: - kubernetes.core.k8s: definition: apiVersion: v1 kind: Node metadata: name: "{{ inventory_hostname }}" labels: "{{ k8s_node_labels }}" tags: - k8s - k8s-install - name: Install cluster_api hosts: k8s_all gather_facts: true user: root vars: ansible_python_interpreter: "{{ ansible_collection_kubernetes_target_venv ~ '/bin/python' }}" roles: - role: "vexxhost.kubernetes.cert_manager" - role: "vexxhost.kubernetes.cluster_api" # environment: "{{ deployment_environment_variables | default({}) }}" tags: - cluster-api